An Open Letter to Human Resources Teams

March 28th, 2017

Every few years, it seems, the information security community has a renewed interest in, and debate over, the value of certifications, degrees, experience, etc. in helping information security professionals land jobs. Along with this renewed interest comes a spate of blog posts and articles that aim to help those new to the industry advance, and advice for varying levels of professionals who want to move up, move on, and so on. Unfortunately, we’re still talking to one another (security folks talking to other security folks). Nothing wrong with that, but I want to direct this post to human resources teams. I hope that’s you, and I hope you take my words to heart. If you’d like to read some other posts that I find useful and relevant, I’ve linked them at the bottom of this one, as well.

First, please learn to differentiate between technical security positions and compliance/risk/governance positions. While that sounds like a banal statement, I really think many HR teams don’t understand the difference intrinsically, and it’s a critical one. GRC professionals need a different background and skill set than technical ones, although there is certainly some overlap. When hiring people for GRC positions (risk analyst, compliance analyst, etc.) look for the following:

IT certifications like the ISACA CISA/CISM or the CISSP (it’s relevant here, more in a moment)

For technical positions, well…things are a little different. And here’s the fact of the matter today (and critical point #2): THERE ARE NO CERTIFICATIONS THAT PROVE A TECHNICAL SECURITY PROFESSIONAL CAN DO THE JOB. ALMOST. Lest you think me wishy-washy, let me explain. Much has been said about certain certifications in the realm of information security. As someone who teaches regularly for SANS (https://www.sans.org), and helps numerous students attain the GIAC certifications that go along with SANS courses (http://www.giac.org), I see both sides of the certification argument. Most do not do anything to really prove technical proficiency, to be fair. Do they show a bit of motivation? Sure. Maybe some knowledge. But the GIAC exams are open book. You can look up the answers during the test. It’s a lot of material, and so it’s not necessarily easy, but these are exams that show some knowledge and motivation, and not a lot more. The CISSP is even worse, in many ways. It’s held up as the “gold standard” in the industry, but does NOTHING to indicate that a technical security professional knows how to do the job. So here’s my request:

If this is a junior position, maybe a college degree in computer science or information systems, but most degree programs are woefully inadequate in preparing kids for real work in this field, sadly. Information assurance degrees are barely better. So don’t use this as your true measuring stick, trust my 20 years of experience in this field, seriously.

MAYBE a certification as a differentiator or proof of motivation, but that is it. Don’t require this – it’s a trap, and a silly one. The CISSP, especially – it is a great general base of knowledge, but has ZERO bearing on true skills.

More than anything else, challenge your information security team/department to require a TECHNICAL INTERVIEW. As in, hands on keyboard. Do not trust someone’s resume, or great interviewing skills, alone. Make them DO something. This really shouldn’t be a stretch – but for many, it sadly is. Require candidates to actually demonstrate technical proficiency before hiring them. Crazy, I know.

I know hiring talented information security professionals is hard. There’s not enough of us, and it’s getting harder than ever to really find talent. This post may not make your job any easier. But trust me – the certification market is a bit of a racket, and it’s not providing nearly the value you may think it is. For GRC positions, the base of knowledge provided by the CISA, CISM, or CISSP is a good thing to have, and might prove valuable if contrasting one candidate to another. But with technical people, these are largely meaningless. Many of the best security professionals I know have none of them, and do not care about acquiring them. If you are hiring for a senior position (15+ years of experience), don’t even BOTHER with certifications – they are 100% useless and meaningless. Seriously.

Please know, this is not an anti-certification message. They have value. I like seeing people get them, and they should get them if they are so inclined. If you have two TOTALLY EQUAL CANDIDATES, and one has the certs and one does not, the cert may indicate a wider breadth of knowledge or more motivation to learn and improve, if nothing else. But don’t assume this, please.

Many, many great points in this article. It has been many moons ago that I took got my CISSP but if I remember correctly they never sold it as a technical certification, it was presented to me as a technical management certification. I think HR types have corrupted the definition in order to make their lives and screening tools easier. Although I am not sure why we need a CISSP and a CISM if that’s the case. I am a big fan of the GSE. In my humble opinion it should become the new Gold Standard for technical certs. Yes I understand that it’s hard but we are not junior server admins anymore. If you want to play in the big leagues things are hard, and unfair, and sometimes mean and sometimes just plain suck. But that is reality, or at least the reality I have seen in almost 15 years of doing security. My last point will be equally unpopular. There are no entry level jobs in information security. The people I look to hire have been superstars in a couple of different IT disciplines (preferably Networking and Unix administration) before they can even understand what is going on at the Enterprise Security level. Information security at any type of scale is a really complicated beast that moves at machine speed and has no room for you to make a mistake as a defender. The unfortunate reality is that taking the time to teach a new security staff member why packet structure is important or code analysis must be done will just never rise to the to-do list. I tell our people that at the Enterprise Security level everything we do is at a sprint, we expect new team members to be at sprinting capacity on day one!! We never slow down because our enemy never slows down. Offense drives defense. I am sure some people will disagree with me and say . No, no Mike you have to give people time to adjust and train them. To them I say “Great, would you please go tell the Chinese and Russians to slow their attacks down because I have a new team member who needs to learn how nextgen firewalls work” Does this lead to cherry picking from other teams, you bet and I am unabashedly telling you to do it. You need the best and brightest on your security team because that is who you are fighting.